News19 has learn that the South Carolina Department of Revenue (SCDOR) hired the security company Trustwave in 2005 to monitor and protect sensitive data.

On November 5th, under the Freedom of Information Act, News19 requested that the Department of Revenue turn over the the contracts between them, Experian, and Trustwave. Wednesday November 14, we were given copies of both contracts.

According spokesperson Samantha Cheek with the SCDOR:

"The focus of Trustwave was to enable DOR to become compliant with the rules of the Payment Card Industry (PCI). During the time of the breach, DOR had other security features in place including two firewalls, regular virus scanning of all desktop and laptop machines, web filtering and spam filtering, and Social Security numbers and other data were encrypted in transit."

According to the contract, the Department of Revenue spent $231,000 over the last five years on security from Trustwave.

Their contract, that runs through 2016, specifes that Trustwave's main focus is to protect credit card data at the Department of Revenue. They did this by 24 hour monitoring and a once a month vulnerability scan.

The second contract News19 has received is from Experian, the company the state hired to monitor your credit since the breach.

The contract is for a flat fee of $12 million dollars. Cheek tells News19 the following:

"The Governor stepped in to negotiate the Experian cost at a cap of $12 million; statistics show that enough taxpayers have already signed up to meet this capped figure and we are continuing to reach out to taxpayers in order to increase sign ups."

The Experian contract does confirm that family secure services are offered to protect the dependants on your tax forms. It also notes the state has to pay a fee of twenty cents per call to the Experian call center that is worked into the flat rate.

The Department of Revenue also shed some light on the security protections that were in place inside their department. In an email to News19 they tell us that during the time of the breach, they had two firewalls, regular virus scanning of all desktop and laptop machines, as well as web and spam filtering.

We know they were also receiving some protection through state's DSIT data monitoring system at the time.